ICO call for views on a direct marketing code of practice 


CO. 


Information Commissaner's Office 


It is important that organisations ensure their marketing activities are compliant with data 
protection legislation (the General Data Protection Regulation and Data Protection Act 2018) 
and, where necessary, the Privacy and Electronic Communications Regulations 2003 (PECR). 


The new code of practice will build on our current direct marketing guidance and address the 
aspects of the new legislation relevant to direct marketing such as transparency and lawful 
bases for processing, as well as covering the rules on electronic marketing (for example 
emails, text messages, phone calls) under PECR. 


The European Union is in the process of replacing the current e-privacy law (and therefore 
PECR) with a new ePrivacy Regulation (ePR). However the new ePR is yet to be agreed and 
there is no certainty about what the final rules will be. Because of this we intend for the 
direct marketing code to only cover the current PECR rules until the ePR is agreed. Once the 
ePR is finalised and the UK position in relation to it is clear we will produce an updated 
version of the code which takes this into account as appropriate. 


Please send us your views by 24 December 2018. 


Privacy statement 


For this call for views we will publish responses received from organisations but will remove 
any personal data before publication. We will not publish responses from individuals. For 
more information about what we do with personal data please see our privacy notice. 


Q1 


The code will address the changes in data protection legislation and the implications 
for direct marketing. What changes to the data protection legislation do you think we 
should focus on in the direct marketing code? 


There are a number of aspects of the General Data Protection Regulation (GDPR) 
that impact Direct Marketing, and it would be good for the legislation to be 
referenced where this is the case. These include, the changes in fair processing 
notice requirements particularly around naming third parties or naming categories of 
third parties; how the GDPR has impacted on the existing Privacy and Electronic 
Communications Regulation (PECR); the revised definition of consent; and the 
increased use of social media as an additional channel for marketing with the 


complexities that come with this in respect of the data protection relationships 
between advertisers and platform providers. 


Q2 


Q3 


Q4 


Apart from the recent changes to data protection legislation are there other 
developments that are having an impact on your organisation’s direct marketing 
practices that you think we should address in the code? 


Yes 
No 


If yes please specify 


We would welcome clarity around using the marketing tools of social media sites 
such as Facebook - the data protection relationship between the organisations can 
be complex with little room for negotiation; and the targeting aspect to personalised 
marketing can appear at odds, or at the very least create challenges, with data 
compliance requirements. A “do's” and “don'ts” or “pitfalls and/or top tips” for 
successful social media marketing would be really useful. This is an area which may 
benefit from case studies or practical examples to help people identify with their 
situation. It would also be beneficial to provide a full understanding of how 
external suppression services will sit alongside the Code, specifically the Telephone 
Preference Service and Corporate Telephone Preference Service (TPS and CTPS), the 
Mailing Preference Service (MPS) and the Fundraising Preference Service (FPS). 

One further comment, slightly unrelated, is that of how this Code and guidance fits 
in to the overarching legislation and regulatory environment. Like many 
organisations, we have a number of regulators who have all created their own 
guidance and advice on areas relating to fundraising and marketing and which touch 
on the data protection aspects of this. This includes organisations such as the 
Institute of Fundraising, the Fundraising Regulator and other regulatory bodies that 
sit across sectors, including the Gambling Commission, Advertising Standards 
Authority and Direct Marketing Association. How does the Code work with, for 
example, the relevant sections of the Fundraising Regulator’s Code of Fundraising 
Practice? or the Advertising Standards Authority’s CAP Code? Has the ICO 
“authorised” these guides and which should take precedent in the event of a 
difference of interpretation? We know that the ICO has entered into Memorandum 
of Understanding with many Regulators, but how can the guidance issued be done 
in a way that doesn’t cause confusion or overlap (particularly fo 


We are planning to produce the code before the draft ePrivacy Regulation (ePR) is 
agreed. We will then produce a revised code once the ePR becomes law. Do you agree 
with this approach? 


Yes 
No 


Q5 


If no please explain why you disagree 


We need a new and updated Code as soon as possible to take account of the 
substantial legal changes throughout 2018. We appreciate that further changes are 
on their way but believe it is appropriate and relevant to not wait for the ePrivacy 
Regulation (ePR). This is for two reasons. Firstly, there is a delay in approving and 
pushing through the legislation which leaves a question mark over whether the UK 
will be subject to this updated legislation following Brexit. Secondly, our 
understanding and interpretation of the revised ePR is that the marketing sections 
(apart from updating in respect of consent definition, including social media and the 
changes to business-to-business marketing) are substantially unchanged. 


Q6 


Q7 


Q8 


Q9 


Is the content of the ICO’s existing direct marketing guidance relevant to the marketing that 


your organisation is involved in? 


Yes 


No 


If no what additional areas would you like to see covered? 


We believe the guidance to be very relevant to our sector and fundraising activity. 
However, there is some repetition within the guidance, so perhaps a review of the 
structure and reduction in repetition would be valuable. Additionally, there are 
some areas of the guidance which are different depending on sector. It would be 
beneficial to have some further clarity around these sector nuances. For example, 
the soft opt-in for marketing is widely known as not being available to the Charity 
sector as fundraising is not considered a “good” or “service”. More clarity around 
this position and explanation of why it is considered acceptable for a sales or retail 
environment but not a fundraising environment where you have a pre-existing 
relationship with a supporter would be incredibly useful. Especially for those new 
to Direct Marketing, a glossary of terms in plain English would be helpful, which 
could include some clear descriptions of the legal basis for channels that can be 
used/is available to send Direct Marketing. 


Is it easy to find information in our existing direct marketing guidance? 


Yes 


[v] No 


If no, do you have any suggestions on how we should structure the direct marketing 
code? 


The current guidance, as a simple pdf document, does not make it very easy to 
search for specific areas. We understand that there is a need to read the guidance 
as a whole, but it would also be useful to be able to search specific areas for quick 
access. A digital version would be useful, and we would recommend something 
similar to the CAP Code, which is very clear and accessible in its online format. 
Specifically within the code, some suggestions include: e Providing a glossary of 
terms e« Separate out more definitively marketing to individuals as opposed to 
marketing to companies e Provide a checklist of what marketeers need to consider 
to ensure that their marketing is compliant e Include FAQs or a quick reference 
section 


Q10 


Q11 


Please provide details of any case studies or marketing scenarios that you would like 
to see included in the direct marketing code. 


A definition and explanation, with examples of what constitutes a marketing 
communication would be useful. Particularly, why does a consent ask amount to 
marketing if the remaining communication is more administrative or transaction in 
nature? Some Charity specific examples for fundraising communications would be 
good and, with particular relevance to the ‘soft opt-in’ comment above. For 
example, a previous event participant cannot be emailed about the following years 
event unless we have marketing consent - why? We also feel some digital case 
studies would be useful, for example using Facebook custom and lookalike audience 
functionality. 


Do you have any other suggestions for the direct marketing code? 


Some more detail and clarity around the business to business marketing rules would 
be useful, as this section currently is quite small. Especially as social platforms such 
as LinkedIn and other professional networking tools are becoming more prominent. 
Generally, social channels and direct marketing is something that is missing from 
the current code, and some specific guidance on using social media platforms and 
paid ads through Google would be very beneficial. With regards to our earlier 
comment in relation to how this works with other regulatory bodies, is it possible to 
make this Code the definitive Code for Marketing that all regulatory bodies use, as 
opposed to each body creating their own and separate codes? 


About you: 


Q12 Are you answering these questions as: 
a public sector worker 
a private sector worker 
a third or voluntary sector worker 
a member of the public 
a representative of a trade association 
a data subject 
an ICO employee 


other 
If you answered other, please specify: 


Q13 Please provide the name of the organisation that you are representing: 
Great Ormond Street Hospital Children's Charity 


Q14 We may want to contact you about some of the points you have raised. If you are 
happy for us to do this please provide your email address: 


BEE O 


Thank you for taking the time to share your views and experience. 


